On May 25th, 2018, the General Data Protection Regulation (GDPR) comes into effect across the European Union. It reaches well beyond the EU, including small and large Canadian organizations that do business in the EU or market to EU customers online. The GDPR is a new set of rules requiring any organization that collects or processes the personal data of people in the EU to have a lawful basis for doing so; where that basis is consent, the consent must be clear, explicit and freely given.
The GDPR itself protects only people in the EU, but Canadians share the same concerns. In a 2016 survey on privacy, 92% of Canadians expressed some degree of concern about protecting their privacy, about 74% believed they have less privacy over their personal information than 10 years ago, and 48% felt unable to control how organizations collect or use their personal information. According to a global survey by Commvault, only 12 percent of organizations believe they will be compliant with GDPR by the deadline.
Many Canadian companies mistakenly believe GDPR will not affect them. GDPR applies to any company offering goods or services to people in the EU, whether or not payment is involved, and to any company that monitors their behaviour, such as tracking their online activity. That covers a Canadian company whose website collects information from EU visitors, whether they are ordering a product or service or merely accessing content. GDPR also reaches vendor, supplier and sub-processor relationships: processors carry their own obligations, and controllers must bind them by contract. The GDPR casts a wide net, and companies with third-party relationships need to ensure those parties are compliant too.
8 GDPR Compliance Strategies for Canadian Companies
1. Assume part of GDPR applies to your organization
Identify those areas in your company that overlap with GDPR in some way. Then create a plan to protect yourself.
2. Know and list your data assets
The inventory should cover your company’s applications, file servers, mobile devices and cloud services, and record what personal data each one holds and why. Once you have the inventory, confirm that you can quickly search across those data sets and collect a specific person’s data on request. Even micro-enterprises (fewer than 10 employees and revenues under about $2.5 million USD) should review what personal data they hold and in which categories.
Article 4(1) of the GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”). A person is identifiable if they can be singled out, directly or indirectly, by a name, an identification number, location data, an online identifier such as a screen name or IP address, or by one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
3. List-building and Joining a Mailing List
If your business or website does any kind of list-building by collecting e-mail addresses, verify that everyone on the list has given explicit permission. Under Canada’s PIPEDA, businesses can often rely on implied consent; that does not meet the GDPR standard, which requires consent to be freely given, specific, informed and unambiguous, signalled by a clear affirmative act (no pre-ticked boxes), and as easy to withdraw as it was to give. If any EU residents are in your database, your company must also honour their right to obtain the information stored about them.
4. Define and implement data collection and retention policies
Collect and retain only the data your business actually needs. In the US, companies often collect as much data as possible without having a reason to collect it. The GDPR requires data minimisation: do not collect unnecessary data, delete data once its purpose is served, or render it anonymous. Collecting personal data without a lawful basis or a stated purpose and storing it for undefined later use is a serious breach of the GDPR.
5. Make it easy for a customer to request deletion of their data
You need to be able to provide a customer’s information in a clear and simple manner. The GDPR extends users’ rights over how their data is processed. These rights include the right to be informed, the right of access, the right to rectification of errors, the right to erasure, the right to restrict processing, the right to data portability, the right to object to how their data is used, and the right not to be subject to decisions based solely on automated processing, including profiling.
6. Assign a Data Protection Officer to audit data
Organizations need to designate a person responsible for data protection issues. A formal Data Protection Officer (DPO) is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; larger companies should expect a DPO to handle larger-scale data requests. This person is responsible for creating awareness of data protection requirements in the organization, training staff and managing data audits.
7. Reporting Data Breaches
The number of businesses that experience data breaches rises every year globally. Under GDPR a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. When one occurs, an authorized person in your company must report it to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Additionally, the affected people must be informed without undue delay when the breach is likely to result in a high risk to them, for example identity theft, financial loss or fraud.
8. Handle Large Data Requests
If your company regularly processes a large volume of data subject requests, develop a streamlined process. The deadline under GDPR is one month from receipt, extendable by up to two further months for complex or numerous requests, compared with the previous 40-day deadline.
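The following is an added example, not code from the original article, showing how the data inventory, the rights of access and erasure, and the one-month response deadline fit together in practice. The store names, sample records and helper names (DataStore, handle_access, handle_erasure, response_deadline) are constructed for this illustration; the retention exception for invoices stands in for whatever legal-hold rules your own records retention policy defines.

```python
"""Added example (not from the original article): a minimal data-subject request
handler built on a data inventory. Store names, records and helper names below
are constructed sample data for illustration only."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional


@dataclass
class DataStore:
    """One entry in the data inventory: where personal data lives and how to reach it."""
    name: str
    category: str                      # e.g. "CRM", "mailing list", "invoices"
    lookup: Callable[[str], List[dict]]  # find a subject's records by e-mail
    delete: Callable[[str], int]         # remove them; returns the count removed
    retention_reason: Optional[str] = None  # documented reason to keep data despite erasure


# Constructed sample data standing in for three separate systems.
CRM = [{"email": "alice@example.eu", "name": "Alice", "country": "DE"},
       {"email": "bob@example.ca", "name": "Bob", "country": "CA"}]
NEWSLETTER = [{"email": "alice@example.eu", "consent": True, "consent_date": "2018-06-01"}]
INVOICES = [{"email": "alice@example.eu", "invoice": "INV-1001", "amount": 120.0}]


def _make_store(name, category, table, retention_reason=None):
    """Wrap an in-memory table as an inventory entry; a real store would wrap a DB or API."""
    def lookup(email):
        return [r for r in table if r.get("email") == email]

    def delete(email):
        before = len(table)
        table[:] = [r for r in table if r.get("email") != email]
        return before - len(table)

    return DataStore(name, category, lookup, delete, retention_reason)


INVENTORY = [
    _make_store("crm", "CRM", CRM),
    _make_store("newsletter", "mailing list", NEWSLETTER),
    # Invoices are kept under a tax retention rule (assumed), so they survive erasure.
    _make_store("billing", "invoices", INVOICES, retention_reason="tax record retention"),
]


def handle_access(email, inventory=INVENTORY):
    """Right of access / portability: gather every record held on the subject,
    grouped by store, in a structured machine-readable form."""
    result = {}
    for store in inventory:
        records = store.lookup(email)
        if records:
            result[store.name] = records
    return result


def handle_erasure(email, inventory=INVENTORY):
    """Right to erasure: delete from every store unless a documented retention
    reason applies; report what was deleted and what was retained and why."""
    report = {"deleted": {}, "retained": {}}
    for store in inventory:
        if not store.lookup(email):
            continue
        if store.retention_reason:
            report["retained"][store.name] = store.retention_reason
        else:
            report["deleted"][store.name] = store.delete(email)
    return report


def _add_months(d, months):
    """Calendar-month arithmetic, clamping to the last day of the target month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def response_deadline(received, extended=False):
    """GDPR Art. 12(3): respond within one month of receipt, extendable by two
    further months for complex or numerous requests."""
    return _add_months(received, 3 if extended else 1)


if __name__ == "__main__":
    print("access:", handle_access("alice@example.eu"))
    print("erasure:", handle_erasure("alice@example.eu"))
    print("after erasure:", handle_access("alice@example.eu"))
    print("deadline:", response_deadline(date(2018, 5, 31)))
```

The point of the erasure report is that a retention exception is recorded per store rather than silently skipped, so the response to the data subject can state what was kept and on what basis; the deadline helper clamps to month end so a request received on the 31st is not pushed into the following month.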
It is important for small and large organizations in Canada not to be complacent. Get started and put your house in order: assess your data assets and manage any risk associated with exposure to EU customers. Having a strategy for data privacy protection may give GDPR-compliant organizations a competitive advantage for some time.